NSE7_OTS-7.2 Risk Assessment

Risk Assessment Detailed Explanation

Risk assessment is a systematic process that helps organizations identify, evaluate, and mitigate potential threats to their OT (Operational Technology) network. It ensures that risks are managed proactively to minimize the impact of security incidents.

Definition

Risk assessment involves:

1. Identifying potential threats within the OT network.
2. Evaluating these risks based on their likelihood and potential impact.
3. Mitigating risks through proactive measures like patching, firewall rules, and incident response planning.

The goal is to protect critical assets and maintain operational continuity.

Core Concepts

1. Risk Identification

The first step in risk assessment is recognizing all possible threats that could impact the OT network.

Categories of Threats

1. External Threats:

   • Examples:
     • Malware: Ransomware targeting OT devices.
     • DDoS (Distributed Denial of Service): Overloading critical systems to disrupt operations.

2. Internal Threats:

   • Examples:
     • Misconfigurations: Leaving critical devices exposed to unnecessary risks.
     • Privilege Misuse: Employees or contractors accessing systems they shouldn’t.

Why Identification Matters

• Knowing the threats helps you allocate resources effectively.
• For example, if external attacks are the primary concern, focus on strengthening perimeter defenses.

2. Risk Evaluation

Once threats are identified, they must be evaluated to understand their significance.

Key Methods for Evaluation

1. Risk Matrix:

   • A risk matrix is a visual tool that helps rate threats based on:
     • Likelihood: How likely is the threat to occur?
     • Impact: How severe would the consequences be?
   • Example:
     • A ransomware attack on a SCADA server might have high impact but low likelihood if strong defenses are in place.

2. Vulnerability Scanning:

   • Regularly scan devices and applications to identify weaknesses that attackers could exploit.
   • Tools like Nessus or FortiSIEM can identify:
     • Outdated firmware.
     • Misconfigured devices.

Why Evaluation Matters

• Helps prioritize threats that require immediate action.
• Example:
  • A vulnerability in a PLC controlling critical infrastructure may need urgent mitigation compared to a low-priority system.

3. Risk Mitigation

After evaluation, steps must be taken to reduce or eliminate identified risks.

Key Mitigation Strategies

1. Prioritize Critical Assets:

   • Focus on protecting systems that are essential to operations.
   • Example:
     • Ensure SCADA systems have the strongest defenses.

2. Firewall Rules:

   • Create rules to restrict unauthorized access to sensitive systems.
   • Example:
     • Allow only specific IP addresses to communicate with PLCs.

3. Patch Management:

   • Regularly update device firmware and software to fix known vulnerabilities.
   • For systems that cannot be updated (e.g., legacy equipment), use virtual patching to block exploit attempts.

Why Mitigation Matters

• Prevents threats from becoming incidents.
• Example:
  • By patching a vulnerability in a PLC, you block attackers from exploiting it.

4. Incident Response Planning

Even with strong defenses, incidents can still occur. Having a plan in place ensures a quick and effective response.

Steps for Incident Response Planning

1. Detection and Analysis:

   • Identify when and how a threat is detected.
   • Example:
     • An alert from FortiSIEM about unusual traffic.

2. Containment:

   • Limit the spread of the incident.
   • Example:
     • Isolate a compromised device from the network.

3. Eradication and Recovery:

   • Remove the threat and restore normal operations.
   • Example:
     • Reinstall firmware on a compromised device.

4. Post-Incident Review:

   • Analyze what went wrong and update policies to prevent future occurrences.

Why Incident Response Matters

• Minimizes downtime and operational impact.
• Ensures lessons are learned to improve defenses.

Key Technologies

1. FortiAnalyzer

• Collects and analyzes logs to identify vulnerabilities and threats.
• Generates detailed reports for risk assessment and compliance.

2. FortiSIEM

• Aggregates data from multiple sources to detect and prioritize risks.
• Offers real-time monitoring and alerts for potential incidents.

3. Third-Party Tools (e.g., Nessus)

• Perform automated vulnerability scans to identify exploitable weaknesses in devices and applications.

Practical Applications

1. Create an Annual Security Review Plan

• Conduct a comprehensive review of your OT network’s security posture every year.
• Example:
  • Identify new vulnerabilities and update mitigation strategies.

2. Regularly Update Security Policies

• Adapt policies to address evolving threats.
• Example:
  • Add specific firewall rules for newly deployed devices.

Why Risk Assessment is Critical

1. Improves Preparedness:
   • By identifying and addressing risks proactively, organizations reduce the likelihood of security incidents.
2. Protects Critical Assets:
   • Focuses resources on defending the most important systems.
3. Ensures Compliance:
   • Meets regulatory requirements for risk management in OT environments.

Summary

Risk assessment is a proactive process that helps organizations manage potential threats effectively. By identifying risks, evaluating their impact, mitigating vulnerabilities, and planning for incidents, you can minimize security incidents and ensure operational continuity. Tools like FortiAnalyzer and FortiSIEM make this process efficient, while regular reviews and policy updates keep defenses strong.

Risk Assessment (Additional Content)

1. Asset Classification and Risk Matrix Integration

While risk assessment involves identifying threats and evaluating their impact, it's essential to tie risks to the value and function of specific assets. Not all devices in an OT network carry the same criticality.

Asset Impact Categories

1. High-Impact Assets

• Devices whose compromise would directly affect safety, uptime, or production.
• Examples:
  • SCADA servers
  • PLCs controlling safety mechanisms
  • Data historians feeding compliance reports

2. Medium-Impact Assets

• Devices that support critical functions but are not directly involved in process control.
• Examples:
  • HMIs
  • Engineering laptops
  • Workstations for diagnostics

3. Low-Impact Assets

• Devices with minimal effect on operations.
• Examples:
  • Printers
  • IP cameras
  • Non-critical IoT sensors

Application in Risk Matrix Prioritization

When using a risk matrix (Likelihood × Impact), high-impact assets must always be evaluated and mitigated first, even if the threat likelihood is relatively low.

Example:
A low-likelihood vulnerability on a SCADA server poses more overall risk than a high-likelihood vulnerability on a non-critical printer.

Why This Matters in Exams

Many questions ask you to determine which asset to secure first or which threat deserves the most immediate response. Asset classification drives that decision.

2. Quantitative vs Qualitative Risk Assessment

Risk evaluation can follow two primary methodologies, and understanding both is essential for choosing the correct method in a given scenario.

Qualitative Risk Assessment

• Uses subjective scales such as High, Medium, or Low.
• Commonly used when numerical data is limited.
• Effective for quick decision-making and visual risk heat maps.

Example:
“A malware outbreak on an engineering workstation is medium impact, high likelihood.”

Quantitative Risk Assessment

• Uses numerical models to estimate risk in measurable terms (e.g., monetary loss, downtime hours).
• Requires more data (e.g., cost of downtime, historical attack frequency).

Example:
“If a SCADA server failure causes $10,000/hour in downtime and the chance of attack is 5% per year, the annual risk exposure is $500.”

Which One to Use?

• Qualitative: When decisions must be made quickly or data is limited.
• Quantitative: When precise investment justification is needed, such as budget requests for controls.

Why This Matters in Exams

You may be asked:

“Your team has limited time and resources. Which risk assessment method allows for faster prioritization?”

The correct answer would typically be qualitative, unless the question specifies that cost/ROI analysis is required.

3. Integration with Other Security Modules

Risk assessment is not a standalone process—it is the foundation for implementing practical controls via other security mechanisms.

Operational Flow: From Risk to Response

1. Risk Identification

• FortiSIEM detects abnormal Modbus write attempts to a PLC.
• This is logged as a high-likelihood, high-impact event based on the device role.

2. Access Control Enforcement

• FortiNAC or FortiGate automatically revokes access or isolates the device via VLAN reassignment or firewall rules.

3. Segmentation Tuning

• Based on the risk profile, additional restrictions are applied to the conduit where the threat originated.

4. Protection Adjustment

• IPS signatures are updated or tuned to block related exploits in real time.

Closed-Loop Security Model

• Risk assessment feeds directly into:
  • Access policy design
  • Firewall rulesets
  • IPS/DPI configurations
• Feedback from monitoring tools (SIEM/logging) enhances the risk model continuously.

Why This Matters in Exams

You may encounter scenario-based questions like:

"FortiSIEM detects repeated failed login attempts on a PLC. Which action should be prioritized to mitigate this risk?"

The ideal answer involves cross-functional coordination, such as isolating the PLC (Access Control), adjusting firewall rules (Protection), and raising its risk level (Assessment feedback).